package com.neusoft.elmboot.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

import java.util.List;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity
public class SecurityConfig {

    @Bean
    public BCryptPasswordEncoder bCryptPasswordEncoder(){
        return new BCryptPasswordEncoder();
    }

//    @Override
//    protected void configure(HttpSecurity http) throws Exception {
//        http.authorizeRequests()
//                .antMatchers("/elm/**").permitAll()
//                .anyRequest().permitAll()
//                .and()
//                .csrf().disable()
//                .cors().configurationSource(corsConfigurationSource())
//                .and()
//                .headers().addHeaderWriter(new StaticHeadersWriter(Arrays.asList(
//                        new Header("Access-control-Allow-Origin","*"),
//                        new Header("Access-Control-Expose-Headers","token"))))
//                .and()
//                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
//                .and();
//    }
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {

    // Disable CSRF and session management
    http
            .cors(cors -> cors.configurationSource(corsConfigurationSource()))
            .csrf(AbstractHttpConfigurer::disable)
            .sessionManagement(
                    sessionManagement -> sessionManagement.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            );

    http.logout(AbstractHttpConfigurer::disable);

    // Set Authorization Policy
    http.authorizeHttpRequests(
            authorizeRequests -> authorizeRequests
                    .requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                    .requestMatchers(HttpMethod.POST, "/elm/**").permitAll()
                    .requestMatchers(HttpMethod.GET, "/elm/**").permitAll()
                    .requestMatchers(HttpMethod.POST, "/wallet/**").permitAll()
                    .requestMatchers(HttpMethod.POST, "/point/**").permitAll()
                    .requestMatchers(HttpMethod.GET, "/point/**").permitAll()
                    .requestMatchers(HttpMethod.GET, "/img/**").permitAll()  // 允许访问图片资源
                    .anyRequest().authenticated()
    );

    return http.build();
}

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(List.of("*"));
        configuration.setAllowedMethods(List.of("*"));
        configuration.setAllowedHeaders(List.of("*"));
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }

}


